I haven't used OpenVPN yet, but I have several locations running IPsec tunnels. The biggest network consists of 12 locations that are all connected to each other through the main office (the only location that has a static IP), which acts as VPN concentrator. This setup is only using pfSense boxes everywhere.
I also have another setup where a pfSense CARP cluster has VPN connections to a Cisco PIX, another pfSense and a SonicWALL. Everything works smoothly :-) For some examples of how to configure the non-pfSense systems see http://doc.m0n0.ch/handbook-single/#Example.VPN .
Before you start to set this up you need to do some subnet calculations. If you use IPsec for that and need the remote locations to talk to each other through the central location, you need to use some bigger subnet masks at the central unit.
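An added example (not from the post above) of the subnet calculation it describes: given the hub LAN and the spoke LANs, this helper finds the smallest supernet that covers all of them, refuses overlapping subnets (a packet matching two Phase 2 entries is the usual cause of "one spoke works, the other doesn't"), and lists the Phase 2 local/remote pairs each site needs so spoke-to-spoke traffic is carried via the hub. The addresses are constructed sample values; the hub still needs pass rules on its IPsec interface for the spoke-to-spoke traffic to be forwarded.

```python
"""Hub-and-spoke IPsec Phase 2 planning helper (added example, constructed data)."""
import ipaddress
from itertools import combinations


def covering_supernet(networks):
    """Smallest single prefix that contains every network in `networks`."""
    nets = [ipaddress.ip_network(n) for n in networks]  # strict: host bits must be 0
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()  # widen by one bit until everything fits
    return cover


def overlapping_pairs(networks):
    """Pairs of networks that overlap. Any hit means the design is ambiguous:
    a destination could match two Phase 2 entries at the hub."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]


def phase2_plan(hub_lan, spoke_lans):
    """Phase 2 (local, remote) pairs per site.

    Hub:   one entry per spoke, local = supernet, remote = that spoke's LAN.
    Spoke: one entry, local = own LAN, remote = supernet.  The supernet also
    contains the spoke's own LAN, but the directly connected route is more
    specific, so local traffic never enters the tunnel.
    """
    clashes = overlapping_pairs([hub_lan, *spoke_lans])
    if clashes:
        raise ValueError(f"overlapping subnets: {clashes}")
    cover = str(covering_supernet([hub_lan, *spoke_lans]))
    plan = {"hub": [(cover, s) for s in spoke_lans]}
    for s in spoke_lans:
        plan[s] = [(s, cover)]
    return plan


if __name__ == "__main__":
    # Constructed sample: main office plus three branches carved from 10.10.0.0/22
    hub = "10.10.0.0/24"
    spokes = ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"]
    for site, entries in phase2_plan(hub, spokes).items():
        for local, remote in entries:
            print(f"{site:14} local={local:16} remote={remote}")
```

If the spoke subnets are scattered (say 10.10.1.0/24 and 10.10.8.0/24) the covering supernet grows to a /20, which is exactly the "bigger subnet mask at the central unit" the post refers to; renumbering spokes into a contiguous block keeps it tight.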
The site-to-site is very simple to set up (with the PDF document). But is it also possible to connect 3 pfSense client machines to one OpenVPN server pfSense machine and route the networks behind the 3 pfSense machines? (I don't want to open too many external (firewall) ports.)
billm, I hope you're wrong about this. Here's why:
I have a client that needed some serious entropy available to an application. We purchased a Hifn card to supplement /dev/random. FreeBSD does not create /dev/hwrandom, and from all appearances, the speed of the customer's application went waaay up, and the deployment passed some certification process that I was not involved in. So... hmm.
Interesting stuff. Perhaps I should dig into this further? BTW, another option, if I recall correctly, would be to insert a sound card, get the driver working, get the block device for the mic-in, then have that constantly dumping to /dev/random too. (Don't hold me to that, I never personally tried it!)
You're not going to like to hear this, but I went with IPsec VPNs instead. The interface is much more reliable and pfSense's implementation will allow you to configure the server as a remote client portal. All the pfSense clients connect as if they were site-to-site and it takes care of all routes beautifully. It doesn't matter if they are dynamic or static IPs with this config either. I will keep checking with OpenVPN and hopefully they will have all the kinks worked out soon.
Do NOT assign tun interfaces to pfSense interfaces, under ANY circumstance. If you're getting timeouts, you're missing a pass rule on WAN in your firewall rules or something like that. Again, I can't stress it enough: DO NOT ASSIGN TUN INTERFACES!
Ah, didn't figure that out - must be missing the "both" keyword in the "ports" keyword description. Thanks for pointing it out. Yeah, right, the tunnel is supposed to be established between the two devices on the same port on both ends, as that makes maintaining the firewall ports easier and more transparent.
That howto needs some additional work. It seems there are some things that are not completely correct. You won't open up your network to the whole internet, only to authenticated clients that then have an encrypted connection to your site.
OpenVPN should work, as long as its standard UDP port (1194) is properly redirected to the pfSense box behind the Cisco. The other pfSense on the ADSL (I assume) line should work just fine. Anything further depends on the IPs/netmasks used on either side and the mode used for OpenVPN. But at first glance I can't see anything that should spoil the fun here - as long as the Cisco is forwarding the OpenVPN UDP packets addressed to the public IP to the pfSense on its transfer net (WAN).
This is going to sound dumb, but just reload. Seriously.
It'll come back. If not, try leaving some cat food out on the front porch. Maybe it'll find its way home then. ;D